All posts for the month May, 2015

A little background on ASUSWRT. ASUSWRT is the firmware ASUS ships on current routers. It started as a fork of the Tomato firmware project, and Tomato is similar to DD-WRT. ASUSWRT-Merlin is an enhanced version of the ASUS-supplied ASUSWRT with a number of fixes.

Post Switch Concerns

After switching to ASUSWRT from DD-WRT I thought I would be losing the ability to serve local DNS. I was wrong. I loaded ASUSWRT-Merlin on my ASUS RT-N66U. After some trial and error configuration I discovered local DNS is alive and well in ASUSWRT-Merlin.

There is one minor caveat: local DNS only works for DHCP-served addresses, unless you further modify the dnsmasq configuration from the command line. I spent a lot of time managing non-DHCP addresses in that fashion with DD-WRT, and I want to make management as simple as possible. The dnsmasq service used by ASUSWRT operates as a masquerading, forwarding DNS server.

With DD-WRT I had non-DHCP addresses allocated in a certain range (0-99), and DHCP addresses from 100 to 255. Within the DHCP addresses I reserved the first 20 (via DHCP reservations) for our devices, which let guests pick up the remaining addresses. Why?

With DD-WRT I broke the DHCP range into two and had QOS rules in place for each group. Guest addresses received tighter restrictions and lower bandwidth. Managing these in DD-WRT was a pain. ASUSWRT makes it a lot simpler to accomplish the same things.

Local DNS Setup

I couldn’t find any definitive guides on setting this up, only that it could be done. So here’s how. Before proceeding, to make things easier, make sure all devices in the ASUS Client list have a name showing up. If the name doesn’t show up, click its MAC address (top one) and define it in the pop-up window that appears.

Open the LAN menu, and “DHCP Server” tab. A few things to note:

a) “Enable the DHCP Server” should be Yes.

b) The router’s Domain Name can be blank, or you can set it to what you want; just don’t use one of the top-level domains like com, net, org, etc. I chose “home”. This makes all hosts on my network resolvable as “hostname.home”.

c) Set the DHCP starting and ending range, for example 192.168.1.10 to 192.168.1.150. The subnet and final address are blocked out in the image. The subnet should be the same as the router’s defined subnet: if you defined the router’s address as 192.168.1.1, then the IP range should be on subnet 1. I don’t use 1.

d) The “Default Gateway” is the gateway that clients will route through.

e) Now the DNS settings need special attention:

If you select Yes for “Advertise router’s IP in addition to user specified DNS”, then the router’s address will be appended to the DNS address list given to the clients when they lease an IP address. I said “appended”, meaning it will be LAST!

So if you want to be able to resolve names on your network without specifying the router’s address as the name server to do the resolution (i.e. nslookup - 192.168.1.1), then you should make sure the Advertise setting is set to No, and put the router’s address in “DNS Server 1”. This puts the router in the list FIRST! Put your secondary (if any) in “DNS Server 2”.

The last thing surrounding DNS, which ties into the router domain defined above, is the “Forward local domain queries to upstream DNS”. This should be No. You don’t want a query for “xbox.home” to be passed up to be resolved at the internet level. You want it to stay on your network.

With DNS set up in this way, your hosts (blah.home) are answered first from the local DNS cache, while external hosts (www.apple.com) are answered by your ISP’s (or OpenDNS, Google, etc.) DNS servers.

f) Click the Apply button when done.

DHCP

I typically assign a static address to devices that I want to always be at a certain address (like a printer, NAS drive, etc.). I typically set up appliances like streaming players and TVs with static addresses too, since they really don’t need to change.

I still wanted to resolve the problem where these non-DHCP devices (devices with static IP assignments) could be resolved on the network WITHOUT having to modify configuration from the command line. Remember: simple, low maintenance.

To resolve this I changed all devices with static IPs to DHCP. As a bonus, that makes device setup simpler too. I then set up DHCP reservations for them within the DHCP pool in a particular range (99 or less). This way I can easily identify “appliances” from computing devices.

a) Set the “Enable Manual Assignment” to Yes.

b) Use the dropdown to select a device, which will have the MAC address or device name (if it was given by the requesting client or defined manually on the ASUSWRT Client list).

c) Set the address (it will default to whatever it was assigned by the server). If you want to change it, change it.

d) Click the + button.

e) Click the Apply button.
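The GUI choices in the Local DNS Setup and DHCP sections above correspond to a handful of dnsmasq directives. The fragment below is an added illustration of those directives, not the configuration file ASUSWRT actually generates; the MAC addresses, the upstream resolver (a documentation-range placeholder) and the lease time are constructed for the example.

```conf
# Added illustration of the dnsmasq settings behind the GUI choices above.
# Not the file ASUSWRT writes; MACs, upstream address and lease time are made up.

# "Domain Name" = home: every DHCP lease becomes resolvable as hostname.home
domain=home
expand-hosts

# "Forward local domain queries to upstream DNS" = No:
# *.home is answered only from the local lease table and never sent upstream
local=/home/

# Never forward a bare, unqualified name upstream either
domain-needed

# DHCP pool 192.168.1.10 - 192.168.1.150 on the router's subnet (router at .1)
dhcp-range=192.168.1.10,192.168.1.150,255.255.255.0,24h

# "Default Gateway": the router clients route through
dhcp-option=option:router,192.168.1.1

# "Advertise router's IP" = No and the router placed in "DNS Server 1":
# the router is listed FIRST in the DNS list handed to clients, the
# secondary from "DNS Server 2" follows (placeholder address here)
dhcp-option=option:dns-server,192.168.1.1,192.0.2.53

# "Enable Manual Assignment" = Yes: DHCP reservations keep appliances at
# fixed addresses in the .99-or-lower range while still getting a .home name
dhcp-host=00:11:22:33:44:55,printer,192.168.1.20
dhcp-host=00:11:22:33:44:56,nas,192.168.1.21

# A device that keeps a true static IP would need a command-line entry like
# this to be resolvable, which is the caveat mentioned at the top of the post
host-record=tv.home,192.168.1.30

# Upstream resolver for everything that is not *.home (placeholder address)
server=192.0.2.53
```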

Traffic Control

With DD-WRT I had devices set up in ranges, with the guest range relegated to low bandwidth and peer-to-peer services blocked. I want the same thing with ASUSWRT. I also had my devices defined with particular classes of service.

The ASUSWRT firmware has defaults based on traffic type, mainly surrounding file transfer.

Once QOS is enabled, you can delete the default rules and add custom ones.

I added the peer-to-peer services using the service name dropdown and selecting the common ones. To add one, select it, set the priority, and click the + sign icon.

I then added my devices, this time using the Source IP or MAC dropdown. The name will show up if it was offered by the requesting client or was manually defined on the ASUS Client list. This makes it a cinch to add, unlike DD-WRT where you add each device by MAC address only.

Once defined, click the Apply button.

So what about the lower priority guest traffic? With ASUSWRT, any traffic not matching a rule gets routed to the “Low” setting. I have my low and lowest settings set to use very little bandwidth.

I now have ASUSWRT doing everything DD-WRT was doing, and without command line management.

Oh, and now is a good time to back up the configuration using the Administration/Save feature.


In this post I explain why I recently chose to leave DD-WRT and instead opt for ASUSWRT.

First, DD-WRT (http://www.dd-wrt.com) is an alternative firmware for many routers. It offers many features and benefits over many of the manufacturer firmwares that ship with routers. I’ve run DD-WRT on my primary router for the past 5+ years with a great deal of satisfaction in both features and performance.

Some of the key features I use:

DHCP : This router “standard” feature gives hosts on the network an IP address for a period of time. It manages which host has which address, and the renewals when they expire.

Local DNS : This gives the ability to lookup local hosts on the network by name rather than by their IP address. The version in DD-WRT (DNSMasq) integrates with DHCP giving the ability to lookup names without maintaining a manual table. This was the number one reason I went to DD-WRT.

VPN: Many routers offer Virtual Private Networking. With VPN a secure connection can be made to the router from anywhere with Internet access, such as a hotel. Think of it as a secure route to your home network. DD-WRT was no exception. DD-WRT allowed multiple VPN sessions whereas many routers only allow one. I only need one at any given time, so the number supported isn’t a big deal.

QOS: Quality Of Service is not something all routers offer. With QOS individual hosts can be given different priorities to the available WAN connection bandwidth. In addition to hosts, network protocols can be prioritized as well. This is especially useful for degrading peer to peer (P2P) traffic such as bit-torrent if needed, or upgrading voice over IP (VOIP) traffic.

Filtering: Filtering gives the ability to block access to sites containing certain words in their body content or URL. It can also be used to completely block certain traffic such as P2P. DD-WRT allows these to be applied in ranges. I had a range for devices I own, and a range for guest devices (managed through DHCP reservations). The guest devices had all P2P traffic blocked.

DDNS: DDNS is Dynamic DNS. This allows the router to send WAN IP address updates to a service provider of your choice when the WAN IP address changes. The service provider could be a DNS provider. For example, if you host a web site from a machine in your home, you have a leased WAN IP address (most common), and you have a domain name myawesomewebsitemachine.com, updating the DNS record is mandatory if you want/need continual access to it. In my case I was pushing updates to DNS-O-Matic (http://www.dnsomatic.com), which in turn updated OpenDNS (http://www.opendns.com) so my content filtering continues to abide by my rule definitions (since it’s based on matching the incoming WAN IP).

Traffic Monitor: This gives the ability to see how much bandwidth is being sent in and out of the WAN connection. Initially I was using this to monitor the monthly usage, as there was a usage cap set by my ISP. Later it just became trivia to get an idea of the household usage.

So why would I want to leave?

DD-WRT is actively being updated to add features and provide security fixes. But… there’s always a but. As the router hardware gets older it sees fewer and fewer updates in favor of newer hardware. There are exceptions to that. In my case I am using an ASUS RT-N16 router. In the entire time I was running DD-WRT, there was one update. And that update was in 2010.

My DD-WRT firmware was almost 5 years old. In the last year there have been several security issues surrounding VPN. I don’t use VPN often, but when I do I want it to be secure. The last time I used it was April 2015. I was nervous leaving it on for the duration I needed it.

I started looking at updates for DD-WRT and found there may be one, but figuring out which firmware and where to get it was proving to be a difficult task – harder than it needs to be (links to links to links from the main DD-WRT site, and maintained by users only known by handles). For me, it boiled down to a matter of trust at that point. How do I know there was no backdoor embedded or other malicious code added?

What did I switch to?

I looked at some alternatives like Tomato (http://www.polarcloud.com/tomato) and OpenWRT (https://openwrt.org), but ultimately decided to use ASUS’ own firmware. The firmware ASUS initially shipped on the RT-N16 was not the greatest. If I recall correctly it was a 1.x version the last time I looked at it. I also have an ASUS RT-N66U which serves as an access point. I’ve seen their latest interface and have been happy with it and the updates it receives. I looked at their latest offering for the RT-N16, which is now called ASUSWRT, and found that it is actively being updated and has basically the same version as the RT-N66U. I chose this as my first option. If I don’t like it in the long run, I’ll look at OpenWRT, since it appears to be actively updated on the RT-N16 as well.

What is missing?

Of all the features of DD-WRT that I was using, the only feature not included in the current ASUSWRT firmware is local DNS. This was the primary reason I went to DD-WRT. I thought about how often I actually reference another machine by name, versus a bookmark or other predefined link. As it turns out, it’s not that often. Thus, I committed to ASUSWRT.

How did I convert?

I backed up the DD-WRT configuration to a file. I also printed (to PDF) the contents of each of the interface configuration pages for reference.

I logged into the router using the command line, and executed “erase nvram”.

I then used DD-WRT’s firmware update feature to load the ASUSWRT firmware. At completion, the router reboots itself.

When it came back up, I renewed the lease on my computer so it could communicate with the router again, since the primary router address and subnet changed.

I logged into ASUSWRT, reset the router to factory defaults, and rebooted again.

This time when it was back up, I logged into ASUSWRT and immediately changed the router’s primary address and subnet. Then, again, reboot.

I renewed the lease on my computer once more so it could communicate with the router, since the address and subnet had changed again.

I logged into ASUSWRT again, then went through all the settings and configured what I needed.

What did I end up with?

DHCP: A given, standard feature of all routers.

VPN: Not as robust as the DD-WRT solution which supports multiple connections, but it is current and secure and supports the single connection I need from time to time.

QOS: Ability to prioritize different traffic on the network by protocol or host.

Filtering: Ability to filter (block) websites based on content or URL.

DDNS: Ability to update external DNS or other services with the local WAN IP address when it changes.

Traffic Monitor: Ability to see traffic patterns on the network. This screenshot shows the first day of usage:

+ Labeled QOS Entries: This was a pleasant bonus. In DD-WRT, QOS entries are listed as MAC addresses only (no names), so you need a cross-reference table to identify which device is which. Having names makes it simple to see the Ooma VOIP phone and quickly set it to highest priority. There are 5 priorities: Highest, High, Medium, Low, and Lowest.

+ QOS Tuning: ASUSWRT gives the ability to tune the QOS priorities to bandwidth specifications you want for both upload and download. All devices on my network are accounted for and given priorities from Highest to Medium. Guest traffic will land on Low by default thanks to the next item (Unmatched QOS). In this screenshot you can see I gave Low and Lowest extremely tight limits:

+ Unmatched QOS: Unmatched QOS traffic is automatically mapped to the “Low” setting. You don’t have to worry about an unaccounted-for device sucking up all the bandwidth.

+ The GUI interface is a lot nicer to look at than DD-WRT’s. I like the status screen in particular:

Summary

After the first two days I only ran into 1 instance where I tried to reference a device on the network by name. Losing Local DNS has had minimal impact. If it becomes too much of a problem I may look at enabling DNS on the Synology NAS.

The only complaint I have is that even though the wireless is turned off, it still shows the SSID.

There is also a modified version of ASUSWRT called “ASUSWRT-Merlin” (http://asuswrt.lostrealm.ca) that adds many features. I may look at this in the future should I replace the RT-N16.